[SOLVED] SSH issue with exchange key only on the host

Bambusa29

New Member
Mar 30, 2023
Hi all,

I use the OpenSSH agent (with WSL2) for my SSH connections. I have an issue only with the proxmox host; all is fine with VMs, LXC and my two NAS.
I use the same method and the same config (sshd_config, firewall rules...) for all the connections.
My keys and passphrase are stored in KeePassXC.
I have verified all the perms on the client and server side.

I also have a password access with rsync over ssh from my NAS to proxmox (another user is used) and all is fine.

Here is the debug in the proxmox syslog:

Code:
2023-11-27T10:49:58.877662+01:00 proxmox1 sshd[2024402]: debug1: userauth_pubkey: publickey test pkalg ssh-ed25519 pkblob ED25519 SHA256:HBD7awvn6GYW0f1lti1D8neCdTr2Bzn5hwzssCWHBdA [preauth]
2023-11-27T10:49:58.877704+01:00 proxmox1 sshd[2024402]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
2023-11-27T10:49:58.877916+01:00 proxmox1 sshd[2024402]: debug1: trying public key file /home/yannick/.ssh/authorized_keys
2023-11-27T10:49:58.877962+01:00 proxmox1 sshd[2024402]: debug1: fd 5 clearing O_NONBLOCK
2023-11-27T10:49:58.878028+01:00 proxmox1 sshd[2024402]: debug1: restore_uid: 0/0
Failed publickey for yannick from 192.168.2.5 port 57334 ssh2: ED25519 SHA256:HBD7awvn6GYW0f1lti1D8neCdTr2Bzn5hwzssCWHBdA

Here is the debug on the client side:
Code:
debug1: Offering public key: /home/yannick/.ssh/proxmox.pub ED25519 SHA256:HBD7awvn6GYW0f1lti1D8neCdTr2Bzn5hwzssCWHBdA explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
yannick@192.168.2.254: Permission denied (publickey).

My config file, client side:
Code:
Host proxmox
    HostName 192.168.2.254
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/proxmox.pub
    IdentitiesOnly yes

Reading the pub key on the server side in 'authorized_keys' seems to fail but I don't know why...
Any ideas what's wrong?
 
Hello,

the IdentityFile should be the private key, so remove the ".pub".
 
Hello,

the IdentityFile should be the private key, so remove the ".pub".

Hi Markus,

I use IdentityFile with a public key to select the right private key in my SSH agent, otherwise it tries all the keys stored in the agent one by one.

I use the same config for all my ssh connections and only the Proxmox host ssh fails:

Code:
Host omv1
    HostName 192.168.2.253
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/omv1.pub
    IdentitiesOnly yes

Host omv2
    HostName 192.168.2.252
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/omv2.pub
    IdentitiesOnly yes

Host proxmox
    HostName 192.168.2.254
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/proxmox.pub
    IdentitiesOnly yes

Host wireguard
    HostName 192.168.3.19
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/wireguard.pub
    IdentitiesOnly yes

Host compta
    HostName 192.168.2.55
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/compta.pub
    IdentitiesOnly yes
   
Host gitea
    HostName 192.168.3.18
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/gitea.pub
    IdentitiesOnly yes

Why does only the proxmox host fail?

Yes it's true but with an ssh agent, you can use the public key to select a specific private key in the agent:

https://unix.stackexchange.com/ques...g-host-specific-keys-from-ssh-config-file-and
https://serverfault.com/questions/599560/use-a-specific-forwarded-key-from-ssh-agent/599565#599565
https://blog.cake.sh/2021/12/managing-multiple-ssh-keys-on-windows-with-keepassxc-and-openssh/

The trick is to not expose the private key file on your computer.

I don't have any problem with this method with my VMs, LXC containers or with my NAS, only with the Proxmox host.
 
Oh I see, you are right: it can be read in the ssh man page.

Can you see the public key when using this command?
ssh-add -l

Because your error looks similar to when I start ssh-agent and do not add the key to it.
 
The agent is loaded automatically when I unlock my vault and the keys are deleted when my vault is locked.

I have solved my issue!!
I created once again a key pair (ed25519), copied the private key and the passphrase into my vault and copied the public key locally and to proxmox.
I have created the key pair several times and I suspect I had an old pub key in my local .ssh dir for the proxmox access :oops:
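Added example, not code from the thread: a small Python check that computes the SHA256 fingerprint of a .pub line the way sshd prints it, compares it against the server's authorized_keys and the "Failed publickey" log line, and flags the stale local .pub case that caused the failure above. The key bytes, authorized_keys content and log line are constructed samples.

```python
import base64
import hashlib
import re

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def make_ed25519_pub_line(raw32: bytes, comment: str) -> str:
    """Build a .pub / authorized_keys line from 32 raw key bytes (constructed samples only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf and sshd print it: unpadded base64 of sha256(blob)."""
    parts = key_line.split()
    # authorized_keys lines may carry an options field (e.g. from="...") before the key type
    idx = next(i for i, t in enumerate(parts) if t.startswith(("ssh-", "ecdsa-", "sk-")))
    digest = hashlib.sha256(base64.b64decode(parts[idx + 1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_fingerprints(authorized_keys_text: str) -> set:
    """Fingerprints of every non-comment, non-empty line in an authorized_keys file."""
    return {fingerprint(l) for l in authorized_keys_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

FAILED_RE = re.compile(r"Failed publickey for \S+ from \S+ .* (SHA256:[A-Za-z0-9+/]+)")

def diagnose(client_pub_line: str, authorized_keys_text: str, sshd_log_line: str) -> str:
    """Tell whether the key the client offers is trusted by the server or is a stale .pub."""
    offered = fingerprint(client_pub_line)
    rejected = FAILED_RE.search(sshd_log_line)
    if offered in authorized_fingerprints(authorized_keys_text):
        return "authorized"
    if rejected and rejected.group(1) == offered:
        return "stale-pub"   # what the client offered is exactly what sshd rejected
    return "unknown"

# Constructed sample keys: arbitrary bytes, not real keys and not the thread's fingerprint
CURRENT_PUB = make_ed25519_pub_line(bytes(range(32)), "yannick@wsl current")
STALE_PUB = make_ed25519_pub_line(bytes(range(32, 64)), "yannick@wsl old")
AUTHORIZED_KEYS = "# proxmox authorized_keys (constructed)\n" + CURRENT_PUB + "\n"

def sample_log(fp: str) -> str:
    """Constructed sshd line in the same shape as the one in the thread."""
    return f"Failed publickey for yannick from 192.168.2.5 port 57334 ssh2: ED25519 {fp}"

if __name__ == "__main__":
    print(diagnose(STALE_PUB, AUTHORIZED_KEYS, sample_log(fingerprint(STALE_PUB))))
```

On a real host, compare `fingerprint()` of the local .pub with the output of `ssh-add -l` and with `ssh-keygen -lf ~/.ssh/authorized_keys` on the server; a mismatch means the client offers a key the server has never seen.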
 
How did you do that? What software is involved there?
I use the password manager KeePassXC. You can activate ssh agent integration in the options and keep your ssh private key secret.

And then for each entry you create for an ssh connection, you can tell it to add the key when the db is unlocked and delete the key when the db is locked.
 
I use the password manager KeePassXC. You can activate ssh agent integration in the options and keep your ssh private key secret.

And then for each entry you create for an ssh connection, you can tell it to add the key when the db is unlocked and delete the key when the db is locked.
Thank you, that's nice. Unfortunately, I stopped using keepass years ago and went for vaultwarden. I needed fine-grained control over entries. There are some projects allowing ssh-agent integration, I'll investigate.
 
Thank you, that's nice. Unfortunately, I stopped using keepass years ago and went for vaultwarden. I needed fine-grained control over entries. There are some projects allowing ssh-agent integration, I'll investigate.
I used self-hosted VaultWarden (great but needs docker, hard to install without) too before, and after changing the network of my homelab I migrated to KeePassXC (much simpler to manage).
 
great but needs docker, hard to install without
I don't get why people still try without ;) It's so much easier to deploy software than anything else we had all those years.

Sadly, 98% of all publicly available containers are built without security in mind, e.g. they don't run in read-only mode or as unprivileged users.